8 Ways iPhone Users Give Up Privacy, Threaten Security
Mobile App Permissions Lead To Privacy, Security Lapses, Study Finds
Apple's walled-garden approach keeps out many nefarious applications that embed hidden functions designed to steal data. But privacy and security issues still abound for users who are quick to grant permissions to device functionality, according to a recent review of hundreds of applications in the official Apple App Store. Many mobile applications, including some popular names, request permission to access location data, contacts, text and email messages despite lacking functionality that requires access, according to the study, conducted by cloud security vendor Zscaler. Many of the permissions provide access to valuable data that is fed to third-party ad networks. The review of 550 popular iOS applications found that 75 percent of them are linked to advertising networks. The primary message to users concerned about privacy, according to Zscaler, is to carefully scrutinize application privileges before granting them. Here are seven permissions that increase privacy and security risks.
Unique Device Identifiers
Apple started rejecting apps that gather UDIDs after May 2013 following a security incident in which 12 million UDIDs were obtained. The identifying number can connect a device to a user's Apple ID and all the apps and music purchased on the App Store or iTunes. Researchers have demonstrated that UDIDs could be used to link anonymous forum or social network posts back to a user's identity. The Zscaler study found that 38 percent of applications still have access to the UDID, despite Apple's ban. The identifying number can be used to build a file on an individual containing sensitive information, such as mobile numbers, locations and other information.
Universally Unique Identifier
The Universally Unique Identifier (UUID) was introduced by Apple to limit application developers' ability to track users across apps on a device. The new UUID is generated each time an app is installed. However, developers have found a loophole, according to the study. The UUID can be stored in the app's keychain, with sensitive data, making it persistent across app installs. Ninety-two percent of apps reviewed in the Zscaler study were tracking users by the UUID. That included 87 percent of gaming apps and nearly 100 percent of apps in the entertainment category.
Telephony Data Information
Free game apps often come at the cost of giving up precious privacy data, according to the Zscaler study. More than 60 percent of games found in the Apple App Store seek permission to gain access to cellular service provider information, including the carrier details and current call information, the study found. Apps in the entertainment, lifestyle, travel and social network categories also frequently request permission to access telephony data. Granting permission doesn't necessarily result in a security risk, but it poses a privacy concern, giving access to information that could be used in the future, according to the study.
Calendar Data
Many users grant permission to enable apps to access their calendar information. Though giving access may seem harmless, the data can be collected and stored to build a profile on a user, security experts say. Permission to calendar data lets the application read and write calendar items and provide events and reminders. The Zscaler study found 60 percent of gaming apps request calendar access, and 70 percent of apps in the gaming category request permission. Providing access to the calendar alone may be harmless, but put together with other information, it can paint a clear picture of the user, their activities and interests, the study found.
Email Access
Apple has put in place restrictions to safeguard against reading a user's email or sending email independently. Granting access to the email functionality on the device will enable an app to send mail with user involvement. The study found that 96 percent of apps are using location APIs and the Email framework to paint a picture of user activity, in addition to providing some functionality.
Apps in the social networking category are the biggest users of the email function, with 96 percent of them requesting access, the study found. A good rule of thumb is to grant permission only if you plan to use email from the app that's requesting information.
Location Tracking
The apps that require location are obvious, such as maps and travel guides, but they also pose an increased risk to businesses, according to Zscaler. Location data collected from executives could leak sensitive corporate information that could be useful to competitors. In addition, privacy advocates say users who plan to post anonymously to forums or social networks also can be traced and linked to their location. When combined with other data, the anonymous post isn't so anonymous anymore. The study found that 76 percent of gaming apps request permission to access the user's location.
Address Book Functionality
The biggest application category seeking to tap into the device address book database is social networking, with 92 percent of apps in this category requesting permission for access. More than half the apps listed in the travel and lifestyle categories request access to the address book, the Zscaler study found. The firm said 47 percent of all the apps it reviewed in the study were linked to Facebook, Twitter, Instagram and other social networks. The functionality, which is intended to be social, can be used in a malicious way, warn security experts. In 2012, Apple removed an app called Find and Call from its official store for spamming user contact lists. The study's advice is to think about whether a game or entertainment app truly needs access to your contacts.
Using Free Versus Paid Apps
If paid versions of apps are available, it may make sense to buy them, rather than risk giving up sensitive information to advertising networks, experts say. All of the apps analyzed in the Zscaler study were free and most had a monetization strategy driven by advertising. The apps use the data they collect for so-called targeted advertising, but it's unclear whether the targeted ads are worth the privacy risk, Zscaler said. "We are being consumed as much, if not more, than we consume," according to the study. "In and of itself, this is not a danger. However as threats -- and even business practices -- evolve, the risk profile of access changes with it. In the case of our findings, while Apple has stated otherwise, it is clear that some developers significantly overreach in permissions requested."